Linux debugfs Hack: Undelete Files

Undeletion means restoring files that have been deleted from a Linux ext3 file system with the rm command. Deleted files can be recovered on ext3 file systems using the debugfs program. This quick tutorial describes how to recover a recently deleted file using nothing but standard Linux command line utilities. Only system administrators and the root user can view and recover deleted files with the debugfs command. Immediately unmount the file system the deleted file was located on to minimize the risk that the data of the deleted file is overwritten by other users or system processes.

If your file system is on /dev/sda2, enter:

# debugfs -w /dev/sda2

If your file system is on /dev/mapper/wks01-root, enter:

# debugfs -w /dev/mapper/wks01-root

After some time, you will be presented with the debugfs: prompt as follows:

A note about an easy to use tool called PhotoRec

Now you know the basic hacks for recovering files under ext3 or ext4. However, I strongly recommend that you make backups. It cannot be stressed enough how important it is to make a backup.

Another option is the PhotoRec software. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. PhotoRec is free: this open source multi-platform application is distributed under the GNU General Public License (GPL v2+). PhotoRec is a companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again. You can download them from this link.

You can install testdisk using the following apt-get command or yum command:

# yum install testdisk

OR

# apt-get install testdisk

To recover files simply type:

# photorec

Stay tuned for more information on the photorec and testdisk data recovery tools. I recommend that you view the manual page on debugfs using the following command for more information:

$ man debugfs

Thanks Roy, it's a RHEL 5.5 with ext3. I will try with the latest one. I could recover the file using the inode, but in a real life incident we won't know the inode of a deleted file. I have not tried testdisk yet, I will give it a try now.

I did try this and found that "lsdel" will not give you any result. So I tried the option ls -d and it worked. You can use ls -d inside the debugfs prompt to get the inodes of deleted files irrespective of debugfs versions.

One more thing to share: it works even with the file system mounted and for both ext2/ext3. Also, when you type the command logdump -i , please take the latest Blocks: (0+1): entry, as on some systems the Blocks: (0+1): entry may not be the last entry.

@vmintam and @sathish, it is working even if you don't know the inode number, just use ls -d to see the inode of the deleted file.

Example: I deleted a file in /tmp, and the name of the file is test_again,txt. I'm using ls -d /tmp to find the inode of the deleted file. But in /tmp there are many files which I deleted (more than about 1000 deleted files).
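
When a directory holds many deleted entries, as in the comment above, the ls -d listing can be filtered by name. This is an added example, not part of the original article or its comments; it assumes the short ls -d output format, in which deleted entries appear as `<inode> (rec_len) name`, and the function names and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Filter the output of debugfs "ls -d" for deleted directory entries.
# Assumption: short listing format, where a deleted entry is printed as
#   <inode> (rec_len) name
# and live entries carry no angle brackets. The long format (ls -l -d)
# is laid out differently and is not handled here.

# deleted_inodes [REGEX]
# Reads a listing on stdin and prints "inode name" for each deleted entry
# whose name matches REGEX (default: every deleted entry).
deleted_inodes() {
    awk -v pat="${1:-.}" '
    {
        line = $0
        while (match(line, /<[0-9]+> +\([0-9]+\) +/)) {
            entry = substr(line, RSTART, RLENGTH)
            rest  = substr(line, RSTART + RLENGTH)
            # The inode is the run of digits between "<" and ">".
            inode = substr(entry, 2, index(entry, ">") - 2)
            # The name runs up to the next column gap or the end of line,
            # so names containing single spaces survive intact.
            gap  = index(rest, "   ")
            name = (gap > 0) ? substr(rest, 1, gap - 1) : rest
            sub(/ +$/, "", name)
            if (name ~ pat) print inode, name
            line = rest
        }
    }'
}

# Constructed sample listing (not captured from a real system).
sample_ls_d() {
    cat <<'EOF'
 2  (12) .    2  (12) ..    <4113> (20) test_again.txt   4114  (16) keep.log   
<4120> (24) report draft.odt   <4121> (4008) old.tmp
EOF
}

# On a real system, as root, with the device name from the article
# (opening without -w keeps the file system read-only):
#   debugfs -R "ls -d /tmp" /dev/sda2 | deleted_inodes 'test_again'
sample_ls_d | deleted_inodes 'test_again'
```
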